Method and device for determining a full error description for at least one part of a technical system, computer program element and computer-readable storage medium

ABSTRACT

Disclosed is a full error description for a technical system which is described by a system description which can be processed by a computer and stored. The system description contains information on elements available in the system and information on the links therebetween. An element error description is determined for each element taken into consideration, using a stored error description which is respectively associated with a reference element. At least one part of the reference elements is grouped into a reference element group and a group error description is determined for the reference elements of a reference element group using a stored group error description which is respectively associated with a reference element group, enabling possible errors of the reference elements of the reference element group to be described. A full error description is determined from the element error descriptions and the group error descriptions, taking into account information on element links.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is based on and hereby claims priority to PCT Application No. PCT/DE02/00315 filed on Feb. 28, 2002 and German Application No. 101 08 053.0 filed on Feb. 20, 2001, the contents of which are hereby incorporated by reference.

BACKGROUND OF THE INVENTION

The invention relates to the determination of a full error description for at least one part of a technical system.

Such a method is known where an error description is determined manually in the form of an error tree for a technical system.

Due to the manual determination of the error description, the uncoordinated and therefore unsystematic compilation of the error description in particular and therefore the possible incompleteness and lack of formally demonstrable correctness of the error tree determined are considerable drawbacks. These drawbacks take on considerable significance in particular in the case of complex safety-critical systems, the development of which has to be subject to high requirements.

A further drawback in the case of manual determination of an error tree can be seen in the fact that it frequently cannot be determined within a planned time and cost frame due to the exceptional complexity of the system to be described. The quality of a manually compiled error tree is therefore doubtful in relation to any proof of safety which may possibly be required. In particular, there is a danger that critical situations within the system are not noticed, which could result in threats to the technical system.

An error tree, as described in DIN 25424-1: Fehlerbaumanalyse, Methoden und Bildzeichen (“Error tree analysis, methods and graphic symbols”), September 1981, means a structure which describes logical relationships between input variables of the error tree, which input variables result in a predefined undesirable result.

Principles relating to error tree analysis are known from DIN 25424-2: Fehlerbaumanalyse; Handrechenverfahren zur Auswertung eines Fehlerbaums (“Error tree analysis; manual calculation method for evaluating an error tree”), April 1990, Berlin, Beuth Verlag GmbH (“DIN 25424-2 reference”). Various methods relating to error tree analysis are also described in DIN 25424-2 reference.

A method of compiling an error tree is known from IEEE Software, pages 48-59, July 1991 (“IEEE reference”), where an attempt is made with the error tree, albeit in an unreliable and incomplete manner, to investigate predefined program code using reference error trees for predefined command types of a computer program.

Furthermore, a method of determining a full error description for a technical system is described in P. Liggesmeyer, O. Mäckel, Automatisierung erweiterter Fehlerbaumanalysen für komplexe technische Systeme (“Automation of expanded error tree analysis for complex technical systems”), at Automatisierungstechnik, Oldenbourg Verlag, pp. 67-76, No. 2, February 2000. In this method, a full error description is determined for the technical system which is described by a stored system description which can be processed by the computer. The system description contains information on elements available in the system and on the links between them. An element error description is determined for each element taken into consideration, using a stored error description which is respectively associated with a reference element. A full error description is determined from the element error descriptions, taking into account information on element links.

SUMMARY OF THE INVENTION

One possible aspect of the invention arises from the problem of determining an error description for at least one part of a technical system which is more reliable than an error tree determined by a known method.

In the case of a method for determining a full error description for at least one part of a technical system, by a computer, the system is described by a stored system description which can be processed by the computer. The system description contains information on elements available in the system and on the links between them. An element error description is determined for each element taken into consideration, using a stored error description which is respectively associated with a reference element, by which possible errors of the respective element are described. Possible errors of a respective reference element are described by an error description of the reference element. At least one part of the reference elements is grouped into a reference element group. In other words, a plurality of reference elements is grouped into a reference element group. A group error description is determined for the reference elements of a reference element group using a stored group error description which is respectively associated with a reference element group, by which possible errors of the reference elements of the reference element group are described. A full error description is determined from the element error descriptions and the group error descriptions, taking into account information on element links.

A configuration for determining a full error description for at least one part of a technical system displays a processor which is arranged in such a manner that the following steps can be carried out:

-   the system is described by a stored system description which can be processed by the configuration,
-   the system description includes information on elements available in the system and on the links between them,
-   an element error description is determined for each element taken into consideration, using a stored error description which is respectively associated with a reference element, by which possible errors of the respective element are described,
-   possible errors of a respective reference element are described by an error description of the reference element,
-   at least one part of the reference elements is grouped into a reference element group,
-   a group error description is determined for the reference elements of a reference element group using a stored group error description which is respectively associated with a reference element group, by which possible errors of the reference elements of the reference element group are described, and
-   a full error description is determined from the element error descriptions and the group error descriptions, taking into account information on element links.

A computer program element contains a computer-readable storage medium on which a program is stored which allows a computer, once it has been loaded into a memory of the computer, to carry out the following steps for the purposes of determining a full error description of at least one part of a technical system:

-   the system is described by a stored system description which can be processed by the configuration,
-   the system description includes information on elements available in the system and on the links between them,
-   an element error description is determined for each element taken into consideration, using a stored error description which is respectively associated with a reference element, by which possible errors of the respective element are described,
-   possible errors of a respective reference element are described by an error description of the reference element,
-   at least one part of the reference elements is grouped into a reference element group,
-   a group error description is determined for the reference elements of a reference element group using a stored group error description which is respectively associated with a reference element group, by which possible errors of the reference elements of the reference element group are described, and
-   a full error description is determined from the element error descriptions and the group error descriptions, taking into account information on element links.

A program is stored on a computer-readable storage medium which allows a computer, once it has been loaded into a memory of the computer, to carry out the following steps for the purposes of determining a full error description of at least one part of a technical system:

-   the system is described by a stored system description which can be processed by the configuration,
-   the system description includes information on elements available in the system and on the links between them,
-   an element error description is determined for each element taken into consideration, using a stored error description which is respectively associated with a reference element, by which possible errors of the respective element are described,
-   possible errors of a respective reference element are described by an error description of the reference element,
-   at least one part of the reference elements is grouped into a reference element group,
-   a group error description is determined for the reference elements of a reference element group using a stored group error description which is respectively associated with a reference element group, by which possible errors of the reference elements of the reference element group are described, and
-   a full error description is determined from the element error descriptions and the group error descriptions, taking into account information on element links.

One aspect of the method and system allows a full error description to be determined for at least one part of a technical system where the completeness and also the consistency and absence of errors of the full error description determined is guaranteed.

A further advantage can be seen in the fact that the invention allows automatic determination of the full error description.

Furthermore, the method and system may achieve the result that potentially safety-related relationships between the individual components of the technical system, or in other words between the reference elements of a reference element group, can be detected and therefore taken into account.

The determination of a full error description is therefore also less costly and considerably quicker to carry out than with the known methods and also results in improved consideration of more complex error relationships between components of a component group in the technical system.

In the following, a ‘technical system’ means a system which can be described by a system description in which individual elements of the technical system and their links with each other are possible for the purposes of describing the technical system. An example of such a technical system can be seen in an electrical circuit configuration which is described for example with the aid of so-called net lists in a structure description language, for example EDIF, SPICE or VHDL. A further example of such a technical system can be seen in an industrial plant, for example a power plant, or a large industrial plant, for example a rolling mill, if the respective plant can be described in terms of its respective elements and their links.

The method and system are therefore not restricted to a very specific technical system but are applicable to any technical system which includes elements which can be described respectively in the context of a system description together with information on the element links.

Reference elements are predefined elements stored in a computer which can be contained in such a respectively considered technical system. An error description is respectively associated with a reference element, by which possible errors of the respective reference element are described. A ‘reference element’ means for example an elementary device, a block, which can contain devices and further blocks or logically described components, for example an AND gate.

A ‘reference element group’ means by way of illustration a group of reference elements preferably composed according to a predefined grouping criterion, i.e. grouped, for example a plurality of reference element groups of the same type. An example of such a reference element group is a plurality of logic gates with a specific functionality, for example a plurality of:

-   AND gates,
-   EXCLUSIVE OR gates,
-   NAND gates,
-   AND gates,
-   INCLUSIVE-OR gates.

Furthermore, devices of the same type, for example optocouplers, amplifier elements, etc, can also be respectively grouped into a reference element group. In general, the grouping can be effected according to a freely predefinable grouping rule.

Preferred developments of the invention result from the dependent claims.

The group error description can contain at least one error which has an effect on several reference elements of the reference element group. This version allows errors which, for example in the case of components which are implemented together on one chip but are connected in different local areas of the overall system, e.g. of an overall electrical circuit, occur on the chip and therefore result in a plurality of errors in different circuit areas, to be determined very quickly and simply.

The system description can be present in a hardware structure description language, for example in EDIF, SPICE, VHDL, etc.

Furthermore, the system description can include information on an information flow direction which indicates the direction in which information is propagated within the technical system. The determination of the full error description can be effected taking account of the information flow direction in this case.

Consequently, the determination of the full error description is further simplified and therefore even quicker to carry out.

In one development, the error description can be present in the form of a stored error tree. The element error description is determined as an element error tree and the full error description is determined as a full error tree in this case.

This development allows a standardized analysis of the technical system which ensures easier understanding of the full error description by a user since users accept a standardized representation of the full error description more easily and in clearer form.

In a further version, the error description can be present in the form of an equation which describes possible states of the reference element. In this case, the element error description is determined as an element equation and the full error description as a full error equation.

This version allows interactions between individual elements of the technical system to be taken into account in a simple manner. The behavior of the individual elements of the technical system in the normal case and in the presence of failures, i.e. errors, is customarily described respectively by a Boolean equation. The equation system is solved for the considered predefined undesirable effect of the respective error description.

The full error equation can be converted into a full error tree.

At least one reference element can describe an element of an electrical circuit, for example an electrical resistor, a capacitor, an electrical coil, a transistor, an operational amplifier, etc.

The method and system can be employed advantageously for the purposes of error analysis of the technical system, for example by employing the methods described in IEEE reference.

In a further version, the full error description is determined as a full error tree and the full error tree is changed in relation to predefinable framework conditions, for example by adding a supplementary error tree.

This further version allows the determination of the full error description and the full error description itself to become more flexible and therefore, for a user, easier to handle and easier to adapt to actual requirements in the analysis of the technical system.

Such a framework condition can be an additional condition in relation to electromagnetic compatibility of an electrical circuit, which is also described in the form of an error tree and is fed into the full error description in the form of a supplementary error tree.

The method and system can be implemented both in software and also in hardware.

The developments described above apply both to the method, the configuration, the computer program element and also the computer-readable storage medium.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other objects and advantages of the present invention will become more apparent and more readily appreciated from the following description of the preferred embodiments, taken in conjunction with the accompanying drawings of which:

FIG. 1 is a configuration with a processor and a memory for the purposes of carrying out the method;

FIG. 2 is a flowchart in which individual steps of the method are represented according to the exemplary embodiments;

FIG. 3 is a further flowchart in which individual steps of the exemplary embodiments are represented;

FIG. 4 is a circuit configuration on the basis of which the exemplary embodiments are represented;

FIGS. 5a and 5b are a representation of two error trees for an electrical resistor;

FIGS. 6a and 6b are a representation of two error trees for a transistor in common emitter connection;

FIGS. 7a and 7b are a representation of two error trees for an electrical capacitor;

FIGS. 8a and 8b are a representation of two error trees for an electrical coil;

FIGS. 9a and 9b are a representation of two error trees for a general block which represents an electrical element with a plurality of inputs and one output;

FIGS. 10a and 10b are a representation of two element error trees for an AND gate;

FIG. 11 is a representation of a full error tree for the circuit configuration in FIG. 4;

FIG. 12 is a representation of a refined full error tree for the circuit configuration in FIG. 4;

FIG. 13 is a sketch of a circuit configuration on the basis of which the second exemplary embodiment is represented;

FIGS. 14a, 14b, 14c and 14d are a representation of four error trees for the purposes of describing the second exemplary embodiment;

FIG. 15 is a sketch of four NAND gates which are implemented together on one chip;

FIG. 16 is a sketch of two optocoupler circuits which are implemented together on one chip;

FIGS. 17A and 17B are a sketch of two circuits considered independently of one another which respectively display an optocoupler circuit (FIG. 17A) and a sketch of two circuits considered combined into one block which respectively display an optocoupler circuit (FIG. 17B);

FIGS. 18A and 18B are a representation of a full error tree for the circuit configuration in FIG. 17A (FIG. 18A) and a representation of a full error tree for the circuit configuration in FIG. 17B (FIG. 18B);

FIG. 19 is a circuit configuration with the two optocouplers according to FIG. 17A and FIGS. 17A and 17B and an AND gate respectively connected to the respective voltage divider; and

FIGS. 20A and 20B are a representation of a full error tree of the circuit configuration in FIG. 19 for the eventuality that no group error tree is taken into account (FIG. 20A) and for the eventuality that the group error tree according to FIG. 18B is inserted for the two optocouplers.

FIG. 1 shows a computer 100 with which the methods described in the following are carried out. The computer 100 displays a processor 101 which is connected to a memory 102 via a bus 103. The program 104 which is executed for the purposes of carrying out the methods described in the following is stored in the memory 102. Furthermore, a system description 105, which describes a technical system 115 to be investigated, is stored in the memory 102.

In the exemplary embodiments described in the following, an electrical circuit is described as the technical system 115. In this case, a net list 105 is stored in the memory 102, which describes the individual elements of the electrical circuit and also the links between them and the information flow direction, i.e. information on how electrical signals are propagated within the electrical circuit.

Furthermore, the computer includes an input/output interface 106 which is also connected via the bus 103 both to the memory 102 and also to the processor 101.

The input/output interface 106 is connected via a first link 107 to an external storage medium 108, for example a CD-ROM or a floppy disk drive. Via a second link 109, the computer 100 is connected to a keyboard 110. Via a third link 111, the computer 100 is connected to a computer mouse 112.

A fourth link 113 connects a display screen 114 to the input/output interface 106.

FIG. 2 shows a sketch which represents the basic procedure according to the exemplary embodiments described in the following. In a first step (Step 201), a CAD circuit diagram of an electrical circuit to be investigated is input into the memory 102 of the computer 100. The circuit diagram is present in an electronic form which can be processed by the computer 100, and in the exemplary embodiments in the form of a net list of the circuit structure description language EDIF. The net lists contain information on the electrical devices contained in the electrical circuit, designated in the following as elements of the electrical circuit, and also the links between them and information on the propagation of information within the electrical circuit, i.e. the propagation of electrical signals within the circuit.

Furthermore, predefined error trees of predefined elements 202 of an electrical circuit are stored in the memory 102. Error trees for various electrical circuit components (devices) are described in detail in the following. Each error tree is associated with a reference element of an electrical circuit.

Possible errors of the respective reference element are described by the error description, as is explained in further detail in the following. Failure data 207, i.e. failure probabilities, are respectively also associated with individual elements, by which the error probability of the respective reference element is described.

Furthermore, predefined group error trees of predefined element groups of elements 202 of an electrical circuit are stored in the memory 102. Group error trees of various electrical circuit components (devices) are described in detail in the following. Each group error tree is associated with all reference elements of a reference element group of an electrical circuit. Possible errors of the respective reference elements of a reference element group are described by the group error description, as is explained in further detail in the following. Group failure data, i.e. failure probabilities, are respectively also associated with individual element groups, by which the error probability of a reference element of a respective reference element group is described.

The grouping of the elements into element groups and therefore the grouping of reference elements into reference element groups is effected according to this exemplary embodiment in such a manner that elements of the same type implemented together on one chip, but with which different terminals are associated, are grouped into one reference element group. Since the elements are present in a net list, the net list is therefore analyzed with a view to identical device designations and the elements of the same type are respectively grouped into an element group for which a reference element group is formed.

In a further step (Step 203), the dependencies of the individual elements are determined with a view to possible errors occurring within the electrical circuit, and also the dependencies of individual elements of an element group with a view to possible errors occurring within the electrical circuit, for example with a view to errors possibly occurring on a chip on which the elements of an element group are implemented, and a dependency graph (204) is defined.

In one step (Step 205), an undesirable event is predefined by a user for the purposes of determining a full error tree.

For the purposes of determining the full error tree for the respective undesirable event considered, the effects of possible errors of the elements are analyzed for the electrical circuit, in an analysis step (Step 206), on the basis of predefined error probabilities of the individual elements in relation to different error types with regard to the predefined undesirable event considered. In the process, the group error descriptions of the elements of the element groups taken into account are also taken into account.

The result of the analysis step 206 is the full error tree 208.

In a further step (Step 209), the error tree is mapped to a simplified error tree 210, which is designated as a cause/effect graph in the following.

Furthermore, an incidence probability 211 of the undesirable event considered is determined.

Furthermore, taking account of the individual error data of the elements for the electrical circuit, particularly critical elements 212 are determined which display a particular risk for the undesirable event considered.

As represented in FIG. 3, an element error description is determined for each element taken into consideration, using a stored error description which is respectively associated with a reference element, in a first step (Step 301). Possible errors of a respective reference element are described by an error description of the reference element (Block 302).

Furthermore, in a further step (Step 303), at least one part of the reference elements is grouped into reference element groups according to a predefined grouping criterion using a stored group error description which is respectively associated with a reference element group.

Possible errors of the reference elements of a reference element group, which preferably have an effect on several or all reference elements of the respective reference element group, are described by the group error description of a reference element group (Block 304).

A full error description in relation to the predefined undesirable event 205 considered is determined from the element error descriptions and the group error descriptions, taking into account information on element links (Step 305).

A first exemplary embodiment is described in the following, where the error description of a reference element is stored in the form of an error tree for the respective reference element.

In the case of the method according to the first exemplary embodiment, the linking of the individual elements of the electrical circuit is used as the basis for the generation of the full error tree relating to the respectively predefined undesirable event 205 considered.

FIG. 4 shows a simple electrical circuit 400. The electrical circuit 400 displays an AND gate 401 and also a first resistor R₁, a second resistor R₂ and also an npn bipolar transistor T₁. The AND gate 401 displays two inputs 402 and 403, to which input signals In₁ and In₂ can be applied. Furthermore, the AND gate 401 is connected to a ground terminal 404 and a further terminal 405. The further terminal 405 displays an electrical potential of 5 Volts. An output 406 of the AND gate 401 is connected to the second resistor R₂. The second resistor R₂ is connected via a second terminal 407 to the base terminal of the transistor T₁. The emitter terminal of the transistor T₁ is connected to the ground terminal 404. The collector terminal 408 is connected to the first resistor R₁, which in turn is connected to the first terminal 405. An output 409 of the electrical circuit 400, at which an output signal Out₁ can be sampled, is also connected to the collector terminal 408.

One error tree respectively for an erroneous output signal of the respective reference element is described in the following for various reference elements of the electrical circuit 400, respectively for an erroneous High level (erroneous electrical potential of 5 Volts, “H”) and an erroneous Low level (erroneous electrical potential of 0 Volts, “L”) which exists at an output of the respectively considered reference element. The respective error trees are stored in the memory 102 of the computer 100.

Reference Element: Electrical Resistor

FIG. 5a and FIG. 5b show two error trees 500 and 510 which describe, for an electrical resistor, the causes of an erroneous signal level at the output of the resistor.

FIG. 5a represents the error tree 500 for an electrical resistor in the case of an assumed erroneous High level (H) at the output of the electrical resistor 501. An erroneous High level is caused if the input signal at the resistor erroneously displays a High level 503 or if the electrical resistor is firstly short-circuited and the input of the electrical resistor displays a High level. The result for the error tree is therefore the representation that the erroneous High level at the output 501 can be described by the INCLUSIVE-OR operation 502 of the event that the input of the resistor erroneously displays a High level 503 together with a logic event 504. The caused logic event 504 is formed by an AND operation 505 of the events that the electrical resistor is short-circuited 506 and the input of the electrical resistor displays a High level 507.

FIG. 5b describes a second error tree 510 for a further predefined undesirable event, specifically an erroneous Low level (L) which exists at the output of the electrical resistor 511.

Such an undesirable, erroneous event occurs in the case of an INCLUSIVE-OR operation 517 of a first event 512, specifically that the input of the electrical resistor erroneously displays a Low level, together with a second logic event 513, which results due to an AND operation 514 from the events that the electrical resistor is short-circuited 515 and that a Low level exists 516 at the input of the electrical resistor.

Reference Element: Transistor in Emitter Connection

FIG. 6a and FIG. 6b show two error trees 600 and 610 for an npn bipolar transistor in emitter connection. A first error tree 600 describes the possible events which result in an erroneous High level at the output of the transistor 601.

The erroneous High level at the output of the transistor (601) occurs in the case of an INCLUSIVE-OR operation 602 of the following events:

-   a High level exists 603 erroneously at the emitter terminal of the transistor;
-   a Low level exists 604 erroneously at the base terminal of the transistor;
-   the transistor itself is broken, e.g. blown 605;
-   the collector resistor of the transistor is short-circuited 606.

The second error tree 610 for the npn bipolar transistor shows possible causes of an erroneous Low level at the output of the transistor 611.

The erroneous Low level at the output is described completely by an INCLUSIVE-OR operation 612 of the following events:

-   -   the base terminal of the transistor erroneously displays a High        level 613;    -   the transistor itself is short-circuited 614;    -   the collector resistor of the transistor is blown 615;    -   the collector resistor of the transistor erroneously displays a        Low level 616.

Reference Element: Electrical Capacitor

FIG. 7 a and FIG. 7 b show a first error tree 700 (cf. FIG. 7 a) and a second error tree 710 (cf. FIG. 7 b) for an electrical capacitor as the reference element of an electrical circuit.

The error trees have the same structure as the error trees 500 and 510 for an electrical resistor.

FIG. 7 a represents the error tree 700 for an electrical capacitor in the case of an assumed erroneous High level (H) at the output of the electrical capacitor 701. An erroneous High level is caused if the input signal at the capacitor erroneously displays a High level 703 or if the electrical capacitor is firstly short-circuited and the input of the electrical capacitor displays a High level. The result for the error tree is therefore the representation that the erroneous High level at the output 701 can be described by the INCLUSIVE-OR operation 702 of the event that the input of the resistor erroneously displays a High level 703 together with a logic event 704. The logic event 704 is formed by an AND operation 705 of the events that the electrical capacitor is short-circuited 706 and the input of the electrical capacitor displays a High level 707.

FIG. 7 b describes a second error tree 710 for a further predefined undesirable event, specifically an erroneous Low level (L) which exists at the output of the electrical capacitor 711.

Such an undesirable, erroneous event occurs in the case of an INCLUSIVE-OR operation 717 of a first event 712, specifically that the input of the electrical resistor erroneously displays a Low level, together with a second logic event 713, which results due to an AND operation 714 from the events that the electrical capacitor is short-circuited 715 and that a Low level exists 716 at the input of the electrical capacitor.

Reference Element: Electrical Coil

FIG. 8 a and FIG. 8 b show a first error tree 800 (cf. FIG. 8 a) and also a second error tree 810 (cf. FIG. 8 b) for an electrical coil.

The error trees have the same structure as the error trees 500 and 510 for an electrical resistor.

FIG. 8 a represents the error tree 800 for an electrical capacitor in the case of an assumed erroneous High level (H) at the output of the electrical coil 801. An erroneous High level is caused if the input signal at the coil erroneously displays a High level 803 or if the electrical coil is firstly short-circuited and the input of the electrical coil displays a High level. The result for the error tree is therefore the representation that the erroneous High level at the output 801 can be described by the INCLUSIVE-OR operation 802 of the event that the input of the resistor erroneously displays a High level 803 together with a logic event 804. The logic event 804 is formed by an AND operation 805 of the events that the electrical coil is short-circuited 806 and the input of the electrical coil displays a High level 807.

FIG. 8 b describes a second error tree 810 for a further predefined undesirable event, specifically an erroneous Low level (L) which exists at the output of the electrical coil 811.

Such an undesirable, erroneous event occurs in the case of an INCLUSIVE-OR operation 817 of a first event 812, specifically that the input of the electrical coil erroneously displays a Low level, together with a second logic event 813, which results due to an AND operation 814 from the events that the electrical coil is short-circuited 815 and that a Low level exists 816 at the input of the electrical coil.

Reference Element: General Block with n Inputs and One Output

FIG. 9 a and FIG. 9 b show a first error tree 900 (cf. FIG. 9 a) and a second error tree 910 (cf. FIG. 9 b) for a block with any internal behavior, which is described solely by the behavior at the terminals of the block. The block displays n (n = 1 … ∞) terminals.

An erroneous High level at the output of the block 901 occurs in the case of an INCLUSIVE-OR operation 902 of the following events (cf. first error tree 900):

- a first input of the block displays an erroneous level 903;
- a second input of the block displays an erroneous level 904;
- etc.;
- input n of the block displays an erroneous level 905;
- the block itself displays erroneous behavior, i.e. a failure exists inside the block 906;
- the supply voltage applied to the block is erroneous 907.

An erroneous Low level at the output 911 is caused by the following INCLUSIVE-OR operation 912 of the following events, which are represented in the second error tree 910:

- a first input is erroneous 913;
- a second input is erroneous 914;
- etc.;
- input n is erroneous 915;
- a failure occurs inside the block 916;
- the supply voltage is erroneous 917.

Reference Element: AND Gate

FIG. 10 a and FIG. 10 b show a first error tree 1000 (cf. FIG. 10 a) and also a second error tree 1020 (cf. FIG. 10 b) for an AND gate.

The first error tree 1000 describes the events which result in an erroneous High level at the output of the AND gate 1001.

Such an erroneous High level at the output 1001 results in the case of an INCLUSIVE-OR operation 1002 of the following events:

- an erroneous supply voltage 1003;
- an internal failure of the AND gate (the output of the AND gate erroneously displays a High level) 1004;
- a first interim event 1005 which results from a first AND operation 1006 of the events that the first input of the AND gate displays a High level 1007 and the second input of the AND gate erroneously displays a High level 1008;
- a second interim event 1009 which results from an AND operation 1010 of the events that the second input displays a High level 1011 and that the first input erroneously displays a High level 1012.

The second error tree 1020 describes the causes which result in an erroneous Low level at the output of the AND gate 1021.

An erroneous Low level at the output of the AND gate results due to an INCLUSIVE-OR operation 1022 of the following events:

- the first input erroneously displays a Low level 1023;
- the second input of the AND gate erroneously displays a Low level 1024;
- the AND gate itself is broken, i.e. the output of the AND gate erroneously displays a Low level 1025;
- the supply voltage is erroneous 1026.

FIG. 15 shows four NAND gates 1501, 1502, 1503 and 1504 which are implemented together on one chip 1500, for example the chip 74VHC00. The first NAND gate 1501 displays a first input terminal 1505, a second input terminal 1506 and a first output terminal 1507. The second NAND gate 1502 displays a third input terminal 1508, a fourth input terminal 1509 and a second output terminal 1510. The third NAND gate 1503 displays a fifth input terminal 1511, a sixth input terminal 1512 and a third output terminal 1513. The fourth NAND gate 1504 displays a seventh input terminal 1514, an eighth input terminal 1515 and a fourth output terminal 1516.

The individual NAND gates 1501, 1502, 1503 and 1504 are grouped into a group according to this exemplary embodiment and a group error tree is compiled which describes the possible error relationships which exist in the case of the occurrence of an error on the chip 1500.

The group error tree is stored and integrated into the full error tree if one of the NAND gates 1501, 1502, 1503 and 1504 is taken into account in the full error description.

FIG. 16 shows an electrical circuit with a first optocoupler 1601 and a second optocoupler 1602 which are also both integrated on one chip 1600, the chip ILDF217 according to this exemplary embodiment.

The first optocoupler 1601 displays a first input terminal 1603 and a second input terminal 1604 and also a first output terminal 1605 and a second output terminal 1606. The second optocoupler 1602 displays a third input terminal 1607 and a fourth input terminal 1608 and also a third output terminal 1609 and a fourth output terminal 1610.

The individual optocouplers 1601 and 1602 are grouped into a group according to this exemplary embodiment and a group error tree is compiled which describes the possible error relationships which exist in the case of the occurrence of an error on the chip 1600.

The group error tree is stored and integrated into the full error tree if one of the optocouplers 1601 and 1602 is taken into account in the full error description.

FIG. 17A shows, for the purposes of further elucidation, a first optocoupler circuit 1701 and a second optocoupler circuit 1702 which are both implemented on the optocoupler chip 1600 according to FIG. 16 but are considered as mutually independent circuit components.

The first optocoupler circuit 1701 displays a first electrical resistor 1703 which is connected to the first input terminal 1603. A first voltage divider is connected to the second output terminal 1606 together with a second electrical resistor 1704 and a third electrical resistor 1705.

The second optocoupler circuit 1702 displays a fourth electrical resistor 1706 which is connected to the third input terminal 1607. A second voltage divider is connected to the fourth output terminal 1610 together with a fifth electrical resistor 1707 and a sixth electrical resistor 1708.

FIG. 18 a represents a first error tree 1800 for the first optocoupler circuit 1701 in FIG. 17A in the case of an assumed erroneous High level (H) at the second output terminal 1606 and also a second error tree 1801 for the second optocoupler circuit 1702 in the case of an assumed erroneous High level (H) at the fourth output terminal 1610. The first and second error trees describe the errors in the case of input signals and signal forms considered on a mutually independent, i.e. not correlated, basis.

An erroneous High level at the second output terminal 1606 is caused if an internal error has occurred in the first optocoupler 1601 or an erroneous level exists at a minimum of one of the following terminals:

- an erroneous High level at the first output terminal 1605,
- an erroneous High level at the first input terminal 1603,
- an erroneous Low level at the second input terminal 1604.

An erroneous High level at the fourth output terminal 1610 is caused if an internal error has occurred in the second optocoupler 1602 or an erroneous level exists at a minimum of one of the following terminals:

- an erroneous High level at the third output terminal 1609,
- an erroneous High level at the third input terminal 1607,
- an erroneous Low level at the fourth input terminal 1608.

FIG. 17B shows, for the purposes of elucidation, the optocoupler circuits 1701 and 1702 in FIG. 17A, where the two optocouplers 1601 and 1602 are grouped into an optocoupler group 1709, since the two optocouplers 1601 and 1602 are integrated together on one chip and therefore an error in the chip can have effects on both optocouplers 1601 and 1602.

FIG. 18B correspondingly shows the group error tree for the optocoupler group 1709 according to FIG. 17B.

The group error tree 1803 essentially displays the components of the first error tree 1801 and the second error tree 1802 with the difference that the error scenarios “internal error in the first optocoupler 1601” 1804 and “internal error in the second optocoupler 1602” 1805 are combined into a group error scenario “internal error in the optocoupler chip 1600” 1806.

Consequently, a further error hierarchy level is clearly introduced which allows an improved error analysis.

This procedure is transferred correspondingly to the formula-based error description, as elucidated in detail in the following.

For the purposes of determining the full error description of the electrical circuit, a user defines an undesirable event to be considered at a terminal defined by the user. It is assumed in the following that an erroneous High level at the output 409 of the electrical circuit 400 is defined as the undesirable event, i.e. the output signal Out₁ should display a level of 5 Volt (High level).

The net list which describes the configuration according to FIG. 4 is investigated by a suitable parser for the elements contained in the circuit. A check is carried out in a further step as to whether the corresponding elements are already stored as reference elements in the memory 102.

It is assumed in the following that this is the case for all elements which are contained in the circuit represented in FIG. 4.

Then the corresponding error tree for the considered element or reference element is determined respectively in a search directed backward from the output 409 and added as an element error tree to the full error tree. A successive progression from the output 409 of the electrical circuit 400 to the inputs 402 and 403 of the electrical circuit 400 therefore allows a module-like compilation of the full error tree which results, on the basis of the automatic procedure by the computer, in a demonstrably complete full error tree. This ultimately ensures a reliable description of all possible errors within the electrical circuit which result in the predefined undesirable event.

A full error tree resulting according to the above description for the circuit represented in FIG. 4 is represented in FIG. 11. The progression described above is elucidated once again in detail on the basis of this representation.

The undesirable event 1101 is defined by the user as an erroneous High level of the output signal Out₁.

The erroneous High level results on the basis of an INCLUSIVE-OR operation 1102 of an erroneous High level which is caused by the first electrical resistor R₁ or by an erroneous High level which exists at the output of the transistor T₁. On the basis of the stored error trees for the reference elements of electrical resistor and npn bipolar transistor in emitter connection, the result, subject to the precondition that the input of the first electrical resistor R₁ is at High level, is that an erroneous High level can only occur at the output of the first electrical resistor R₁ if the first electrical resistor R₁ is short-circuited 1103.

Determination of the element error tree for the transistor T₁ from the first error tree 600 of the npn bipolar transistor in emitter connection results in the fact that the output signal Out₁ erroneously displays a High level if the collector resistor of the transistor T₁ is short-circuited 1104 or the transistor T₁ is blown 1105 or the emitter terminal of the transistor T₁ erroneously displays a High level 1106. A further cause of an erroneous output signal Out₁ with a High level is that the base terminal of the transistor erroneously displays a Low level 1107.

The structural information contained in the net list then results in the fact that an erroneous Low level at the base terminal of the transistor T₁ results on the basis of an INCLUSIVE-OR operation 1108 which results on the basis of the second error tree 510 for an electrical resistor, mapped to the second electrical resistor R₂ in the electrical circuit 400.

The erroneous Low level at the output 407 of the second electrical resistor R₂ occurs if the second terminal 406, as the input of the second electrical resistor R₂, erroneously displays a Low level 1109 or in the case of the presence of an AND operation 1110 of the following events:

- the second electrical resistor R₂ is short-circuited 1111;
- the second terminal 406 displays, as the input of the second electrical resistor R₂, a Low level 1112.

The net list furthermore indicates that the second terminal 406 is simultaneously also the output of the AND gate 401 of the electrical circuit 400. An erroneous Low level at the input of the second electrical resistor R₂ is therefore dependent on the second error tree 1020 of an AND gate, in this case the AND gate 401 of the electrical circuit 400.

The result is therefore that an erroneous Low level at the input of the second electrical resistor R₂ results due to an INCLUSIVE-OR operation 1113 of the following events:

- the first input signal In₁ is erroneous 1114;
- the second input signal In₂ is erroneous 1115;
- the AND gate 401 itself is broken 1116;
- the supply voltage for the AND gate 401 is erroneous 1117.

Taking direct account of the second error tree 1020 for an AND gate results in the refined full error tree 1200 represented in FIG. 12 for the electrical circuit 40 with regard to an erroneous High level at the output 409 of the electrical circuit 400.

In the refined error tree, the coinciding elements and events in FIG. 11 and FIG. 12 are labeled with the same reference symbols.

The refined representation results in the fact that the erroneous Low level at the input of the second electrical resistor R₂ 109 results due to an INCLUSIVE-OR operation 1113 of the following events:

- the supply voltage of the AND gate 401 is erroneous 1117;
- the output of the AND gate erroneously displays a Low level 1201;
- a first transistor interim signal 1203 resulting on the basis of a first transistor AND operation 1202 displays a High level if the first input signal In₁ displays a Low level 1204 and the second input signal In₂ erroneously displays a Low level 1205;
- a second transistor interim signal 1207 resulting on the basis of a second transistor AND operation 1206 displays a High level if the first input signal In₁ erroneously displays a Low level 1208 and the second input signal In₂ displays a Low level 1209.

The full error tree 1200 for the electrical circuit is therefore determined in relation to an erroneous output signal Out₁ at High level.

If an element of a reference element group is contained in the respective circuit, the respective group error tree is employed correspondingly in the generation of the full error tree.

The error tree is stored in the memory 102 of the computer and represented for the user on the display screen 114 on request.

FIG. 19 shows a further circuit configuration 1900 which displays the two optocoupler circuits 1701 and 1702 and also an AND gate 1901. A first input terminal 1902 of the AND gate 1901 is coupled to the second electrical resistor 1704 and a second input terminal 1903 to the fifth electrical resistor 1707. An output signal of the further circuit configuration 1900 exists at an output terminal 1904 of the AND gate 1901.

FIG. 20A shows a first full error tree 2000 for the further circuit configuration 1900 represented in FIG. 19 for the eventuality that only the individual reference elements and the associated error descriptions are taken into account.

The first full error tree 2000 results in the fact that the erroneous High level at the output terminal 1904 of the AND gate 1901 results due to an INCLUSIVE-OR operation 2001 of the following events:

- the AND gate itself is erroneous, 2002;
- the supply voltage is erroneous, 2003;
- a logical AND operation 2004 of a first event combination 2005 with a second event combination 2006.

The first event combination is an AND operation of the following events:

- a first terminal of the second electrical resistor 1704, to which the first input terminal 1902 of the AND gate 1901 is connected, is at High level 2007;
- a second terminal of the second electrical resistor 1704, to which the second output terminal 1606 of the first optocoupler 1601 is connected, is at High level 2008;
- an INCLUSIVE-OR operation 2009 of the following events:
  - a first terminal of the third electrical resistor 1705 is at High level 2010;
  - the second output terminal 1606 of the first optocoupler 1601 is at High level 2011 AND a second INCLUSIVE-OR operation 2012 is fulfilled.

The second INCLUSIVE-OR operation 2012 is fulfilled if either a third INCLUSIVE-OR operation 2013 of the following events is fulfilled:

- the first output terminal 1605 of the first optocoupler 1601 is at High level 2014;
- the first input terminal 1603 of the first optocoupler 1601 is at High level 2015;
- the second input terminal 1604 of the first optocoupler 1601 is at Low level 2016;

or

if the first optocoupler 1601 is erroneous, 2017.

The second event combination 2006 is an AND operation of the following events:

- a first terminal of the fifth electrical resistor 1707, to which the second input terminal 1903 of the AND gate 1901 is connected, is at High level 2018;
- a second terminal of the fifth electrical resistor 1707, to which the fourth output terminal 1610 of the second optocoupler 1602 is connected, is at High level 2019;
- an INCLUSIVE-OR operation 2020 of the following events:
  - a first terminal of the sixth electrical resistor 1708 is at High level 2021;
  - the fourth output terminal 1610 of the second optocoupler 1602 is at High level 2022 AND a fourth INCLUSIVE-OR operation 2023 is fulfilled.

The fourth INCLUSIVE-OR operation 2023 is fulfilled if either a fifth INCLUSIVE-OR operation 2024 of the following events is fulfilled:

- the third output terminal 1609 of the second optocoupler 1602 is at High level 2025;
- the third input terminal 1607 of the second optocoupler 1602 is at High level 2026;
- the fourth input terminal 1608 of the second optocoupler 1602 is at Low level 2027;

or

if the second optocoupler 1602 is erroneous, 2028.

FIG. 20B shows a second full error tree 2100 for the further circuit configuration 1900 represented in FIG. 19 for the eventuality that the group error tree 1803 according to FIG. 18B is taken into account and inserted.

The second full error tree 2100 and the first full error tree 2000 are identical except for the difference that the two error scenarios listed separately in the first full error tree 2000, that the first optocoupler 1601 is erroneous, 2017 and that the second optocoupler 1602 is erroneous, 2028, are now combined into the group error scenario “internal error in the optocoupler chip 1600” 1806 according to the group error tree 1803.
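The backward search from the output and the effect of inserting a group error description can be reproduced in a few lines. The following Python sketch is an added example, not code from the patent: the net list, the net names, the simplified reference-element templates (signal-level conditions and the voltage-divider resistors are omitted) and the minimal-cut-set evaluation, a standard fault-tree analysis step, are assumptions made for illustration.

```python
from itertools import product

# Constructed net list loosely following FIG. 19 (net names are hypothetical):
# element name -> (reference element type, input nets, output net, chip)
NETLIST = {
    "optocoupler 1601": ("optocoupler", ["in1603"], "n1606", "chip 1600"),
    "optocoupler 1602": ("optocoupler", ["in1607"], "n1610", "chip 1600"),
    "resistor 1704": ("resistor", ["n1606"], "n1902", None),
    "resistor 1707": ("resistor", ["n1610"], "n1903", None),
    "AND gate 1901": ("and_gate", ["n1902", "n1903"], "out1904", None),
}

# Stored group error descriptions: chip -> shared internal-error event.
GROUP_EVENTS = {"chip 1600": "internal error in chip 1600"}


def driver_of(net):
    """Return the element whose output drives `net`, or None for a primary input."""
    for name, (kind, inputs, output, chip) in NETLIST.items():
        if output == net:
            return name, kind, inputs, chip
    return None


def build_tree(net, use_groups):
    """Backward search from `net`: attach the element error tree of each driver."""
    found = driver_of(net)
    if found is None:  # primary input of the circuit: basic event
        return ("EVT", f"{net} erroneous")
    name, kind, inputs, chip = found
    if use_groups and chip in GROUP_EVENTS:
        internal = GROUP_EVENTS[chip]  # group error scenario replaces element error
    else:
        internal = f"internal error in {name}"
    below = [build_tree(n, use_groups) for n in inputs]
    if kind == "and_gate":  # erroneous High: gate, supply, or both inputs wrong
        return ("OR", [("EVT", internal),
                       ("EVT", f"supply voltage of {name} erroneous"),
                       ("AND", below)])
    if kind == "resistor":
        return ("OR", [("EVT", f"{name} short-circuited")] + below)
    if kind == "optocoupler":
        return ("OR", [("EVT", internal)] + below)
    raise KeyError(f"no stored reference element for type {kind!r}")


def minimal_cut_sets(node):
    """Smallest sets of basic events that together cause the top event."""
    if node[0] == "EVT":
        return {frozenset([node[1]])}
    child_sets = [minimal_cut_sets(child) for child in node[1]]
    if node[0] == "OR":
        combined = set().union(*child_sets)
    else:  # AND: one cut set from every child must occur together
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    return {s for s in combined if not any(other < s for other in combined)}


def single_points(use_groups):
    """Basic events that alone cause an erroneous High level at out1904."""
    tree = build_tree("out1904", use_groups)
    return sorted(next(iter(s)) for s in minimal_cut_sets(tree) if len(s) == 1)


if __name__ == "__main__":
    print("element trees only:", single_points(False))
    print("with group tree   :", single_points(True))
```

With element error trees alone, an optocoupler failure only reaches the output together with a second, independent failure in the other branch; once the group error description is inserted, the chip-level internal error appears as a single event that causes the top event on its own.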

Second Exemplary Embodiment

In the second exemplary embodiment, as an alternative to the procedure described above, the individual elements of the technical system 115, i.e. the electrical circuit 400 in the context of the exemplary embodiment, are represented as Boolean equations which describe the behavior of the individual element in the normal situation (error-free situation) and in the presence of errors.

The equation system formed is solved for the considered predefined undesirable event of the error tree. The solution is mapped to the full error tree.

Only “binary” failures and signal levels are considered in this example with the result that, for the individual elements of the electrical circuit described in FIG. 13, which correspond to the electrical circuit in FIG. 4, the error equations set out in the following result for the individual reference elements.

In FIG. 13, the elements coinciding with the circuit configuration in FIG. 4 are labeled with the same reference symbols.

Furthermore, the following elements are represented in FIG. 13:

- a first terminal $R_{1}^{A_{1}}$ of the first electrical resistor R₁,
- a second terminal $R_{1}^{A_{2}}$ of the first electrical resistor R₁,
- a base terminal $T_{1}^{B}$ of the transistor T₁,
- an emitter terminal $T_{1}^{E}$ of the transistor T₁,
- a collector terminal $T_{1}^{K}$ of the transistor T₁.

Reference Element: Electrical Resistor

The following equation results for an electrical resistor, which describes all possible states of the resistor, specifically the three states of an intact resistor, described as $R^{OK}$, a short-circuited resistor ($R^{short}$) and a blown resistor ($R^{open}$). The behavior of a resistor R with two terminals $R^{A_{1}}$ and $R^{A_{2}}$ is described by the following Boolean equation:

$\begin{matrix}{{R^{short} \cdot \left( {R^{A_{1}} = R^{A_{2}}} \right)} + R^{open} + R^{OK} = {TRUE}} & (1)\end{matrix}$

If the resistor is short-circuited ($R^{short}$), both terminals $R^{A_{1}}$ and $R^{A_{2}}$ possess an identical logical value. If the resistor is intact ($R^{OK}$) or blown ($R^{open}$), no statement can be made about the logical values of the terminals. They may be identical or different.

Reference Element: npn Bipolar Transistor

The behavior of an npn bipolar transistor with an emitter terminal ($T^{E}$), a base terminal ($T^{B}$) and a collector terminal ($T^{K}$) is described by the following Boolean equation:

$\begin{matrix}{{\left\lbrack {T^{short} + \left\lbrack {T^{OK} \cdot \left( {T^{B} = H} \right)} \right\rbrack} \right\rbrack \cdot \left( {T^{E} = T^{C}} \right)} + T^{open} + \left\lbrack {T^{OK} \cdot \left( {T^{B} = L} \right)} \right\rbrack = {TRUE}} & (2)\end{matrix}$

If the transistor is intact ($T^{OK}$) and the base possesses the logical value H, i.e. that a High level exists at the base terminal $T^{B}$ or the transistor is short-circuited ($T^{short}$), the emitter terminal ($T^{E}$) and the collector terminal ($T^{K}$) possess identical logical values ($T^{E} = T^{K}$). If the transistor is blown ($T^{open}$) or intact ($T^{OK}$) and blocked ($T^{B} = L$), no statement can be made about the logical values at the emitter and at the collector terminal of the transistor.

Reference Element: Electrical Capacitor

The equation for an electrical capacitor corresponds to equation (1) for the electrical resistor.

Reference Element: Electrical Coil

The equation for an electrical coil corresponds to equation (1) for the electrical resistor.

Reference Element: AND Gate

These stored general error equations for the reference elements are mapped to the elements actually contained in the electrical circuit 400, thereby enabling an analysis of the electrical circuit 400 represented in FIG. 4 and FIG. 13. Those situations which cause a High level at the output 409 are again considered.

The solutions of the following equations are accordingly determined:

$\begin{matrix}{\left\lbrack {R_{1}^{short} \cdot \left( {R_{1}^{A_{1}} = R_{1}^{A_{2}}} \right) + R_{1}^{open} + R_{1}^{OK}} \right\rbrack + \left\lbrack {\left\lbrack {T_{1}^{short} + \left\lbrack {T_{1}^{OK} \cdot \left( {T_{1}^{B} = H} \right)} \right\rbrack} \right\rbrack \cdot \left( {T_{1}^{E} = T_{1}^{C}} \right) + T_{1}^{open} + \left\lbrack {T_{1}^{OK} \cdot \left( {T_{1}^{B} = L} \right)} \right\rbrack} \right\rbrack = {TRUE}} & (3)\end{matrix}$

The following subsidiary conditions apply in this respect:

$\begin{matrix}{R_{1}^{A_{1}} = H} & (4) \\{R_{1}^{A_{2}} = {T_{1}^{C} = {{Out}_{1} = H}}} & (5)\end{matrix}$

The solution is:

$\begin{matrix}{\left\lbrack {R_{1}^{short} + R_{1}^{open} + R_{1}^{OK}} \right\rbrack + \left\lbrack {T_{1}^{open} + \left\lbrack {T_{1}^{OK} \cdot \left( {T_{1}^{B} = L} \right)} \right\rbrack} \right\rbrack} & (7)\end{matrix}$

Since it is ensured that the first electrical resistor R₁ is always in one of the states short-circuited, open or intact, equation (7) can be simplified as follows:

$\begin{matrix}{{TRUE} + T_{1}^{open} + \left\lbrack {T_{1}^{OK} \cdot \left( {T_{1}^{B} = L} \right)} \right\rbrack} & (8)\end{matrix}$

This solution is converted directly into the error tree represented in FIG. 14 a.

An error tree 1400 for a High level for the output signal Out₁ 1401 results due to an INCLUSIVE-OR operation 1402 of the events TRUE 1403 which results through an INCLUSIVE-OR operation 1404 of the following events:

- the first electrical resistor R₁ is open 1405;
- the first electrical resistor R₁ is short-circuited 1406;
- the first electrical resistor R₁ is intact 1407.

A further event which results in a High level for the output signal Out₁ is the event that the transistor T₁ is blown 1408.

Furthermore, a High level for the output signal Out₁ results in the case of a first AND interim signal 1409, which results from an AND operation 1410 of the events that the transistor T₁ is intact 1411 and the base terminal $T_{1}^{B}$ displays a Low level 1412.

The cause of this pessimistic statement is the disjunction operation of the logical equations of the individual elements of the electrical circuit 400. Thus, an electrical resistor can possess identical logical values at its two terminals in each state. If it is short-circuited, it is ensured that the values at the terminals are identical. If it is blown or intact, the state of the surrounding elements of the electrical circuit dictates the logical values. In view of the disjunction operation of the logical equations, restrictions due to other elements of the electrical circuit 400 are not considered in order to prevent possible causes being wrongly suppressed. In the present circuit, this would occur for the situation where both the first electrical resistor R₁ and also the transistor T₁ are short-circuited. The output signal Out₁ can display both a High level and also a Low level. This would not be detected in the case of a conjunction operation, however, since the condition

$H = R_{1}^{A_{1}} = R_{1}^{A_{2}} = {Out}_{1} = T_{1}^{K} = T_{1}^{E} = L$

gives the Boolean value FALSE and therefore drops out. A drawback is that, on the basis of the disjunction operation, an intact or blown first electrical resistor R₁ is also identified as a cause of a High level of the output signal Out₁. This is only correct, however, if the transistor T₁ is blown or driven high. Both these causes are already contained in the solution, however, with the result that the following term is obtained as the correct solution:

$\begin{matrix}{R_{1}^{short} + T_{1}^{open} + \left\lbrack {T_{1}^{OK} \cdot \left( {T_{1}^{B} = L} \right)} \right\rbrack} & (9)\end{matrix}$

The solution

$TRUE + T_{1}^{open} + \left\lbrack {T_{1}^{OK} \cdot \left( {T_{1}^{B} = L} \right)} \right\rbrack$

contains the solution according to the requirement (9).

It is guaranteed that this is always fulfilled in the case of a disjunction operation of the logical equations. The fuzziness which is caused through not taking account of the interactions cannot result in an optimistic error tree in this case.

The evaluation of the electrical circuit 400 in relation to a Low level for the output signal Out₁ is effected analogously. The solutions of equation (3) which fulfill the following conditions are determined:

$\begin{matrix}{R_{1}^{A_{1}} = H} & (10) \\{R_{1}^{A_{2}} = {T_{1}^{C} = {{Out}_{1} = L}}} & (11) \\{T_{1}^{E} = L} & (12)\end{matrix}$

The solution is:

$\begin{matrix}{\left\lbrack {R_{1}^{open} + R_{1}^{OK}} \right\rbrack + \begin{bmatrix}{\left\lbrack {T_{1}^{short} + \left\lbrack {T_{1}^{OK} \cdot \left( {T_{1}^{B} = H} \right)} \right\rbrack} \right\rbrack + T_{1}^{open} +} \\\left\lbrack {T_{1}^{OK} \cdot \left( {T_{1}^{B} = L} \right)} \right\rbrack\end{bmatrix}} & (13)\end{matrix}$

This is identical to:

$\begin{matrix}{\left\lbrack {R_{1}^{open} + R_{1}^{OK}} \right\rbrack + \left\lbrack {T_{1}^{short} + T_{1}^{OK} + T_{1}^{open}} \right\rbrack} & (14)\end{matrix}$

Since it is ensured that the transistor T₁ is always in one of the states short-circuited, open or intact, this can be simplified as follows:

$\begin{matrix}{R_{1}^{open} + R_{1}^{OK} + {TRUE}} & (15)\end{matrix}$

The resultant error tree is represented in FIG. 14 b. The resultant Low level of the output signal 1420 results due to an INCLUSIVE-OR operation 1421 of the events that the first electrical resistor is blown 1422, the first electrical resistor R₁ is intact 1423 and the event TRUE 1424 which is always fulfilled since it results from the INCLUSIVE-OR operation 1425 of the following events:

- the transistor T₁ is open 1426;
- the transistor T₁ is short-circuited 1427;
- the transistor T₁ is intact 1428.

The description of the individual elements of the electrical circuit with independent equations results in some circumstances in an excessively pessimistic evaluation of the situation. Thus, for example, equation (1) for a resistor only describes a relationship between the logical values of the terminals if the resistor is short-circuited. In all other cases, all logical values are possible. This does not apply, however, in the context of a specific integration of a resistor into an electrical circuit.

Therefore it may be worthwhile not to describe individual elements but elementary circuit components by their logical equations. In the case of the emitter circuit according to FIG. 4 and/or FIG. 13, the following logical equation is obtained:

$\begin{matrix}
{\left\lbrack R_{1}^{short} \cdot T_{1}^{short} + R_{1}^{open} \cdot T_{1}^{open} \right\rbrack + \left\lbrack R_{1}^{short} \cdot \left( Out_{1} = R_{1}^{A_{1}} \right) \right\rbrack + \left\lbrack T_{1}^{short} \cdot \left( Out_{1} = T_{1}^{E} \right) \right\rbrack} & \\
{+ \left\lbrack T_{1}^{OK} \cdot \left( T_{1}^{B} = H \right) \cdot \left( R_{1}^{open} + R_{1}^{OK} \right) \cdot \left( Out_{1} = T_{1}^{E} \right) \right\rbrack + \left\lbrack T_{1}^{OK} \cdot R_{1}^{open} \cdot \left( T_{1}^{B} = L \right) \right\rbrack} & \\
{+ \left\lbrack T_{1}^{open} \cdot R_{1}^{OK} \cdot \left( Out_{1} = R_{1}^{A_{1}} \right) \right\rbrack + \left\lbrack T_{1}^{OK} \cdot R_{1}^{OK} \cdot \left( T_{1}^{B} = L \right) \cdot \left( Out_{1} = R_{1}^{A_{1}} \right) \right\rbrack = TRUE} & (16)
\end{matrix}$

The solution of equation (16) which fulfills the following conditions is now determined:

$\begin{matrix}
{R_{1}^{A_{1}} = H = Out_{1}} & (17) \\
{T_{1}^{E} = L} & (18)
\end{matrix}$

The solution is:

$\begin{matrix}
{\left\lbrack R_{1}^{short} \cdot T_{1}^{short} + R_{1}^{open} \cdot T_{1}^{open} \right\rbrack + \left\lbrack R_{1}^{short} \right\rbrack + \left\lbrack T_{1}^{OK} \cdot R_{1}^{open} \cdot \left( T_{1}^{B} = L \right) \right\rbrack} & \\
{+ \left\lbrack T_{1}^{open} \cdot R_{1}^{OK} \right\rbrack + \left\lbrack T_{1}^{OK} \cdot R_{1}^{OK} \cdot \left( T_{1}^{B} = L \right) \right\rbrack} & (19)
\end{matrix}$

This can be simplified to:

$\begin{matrix}{\left\lbrack T_{1}^{open} \right\rbrack + \left\lbrack R_{1}^{short} \right\rbrack + \left\lbrack {T_{1}^{OK} \cdot \left( {T_{1}^{B} = L} \right)} \right\rbrack} & (20)\end{matrix}$

The corresponding error tree is represented in FIG. 14 c. According to this, a High level for the output signal Out₁ 1440 results due to an INCLUSIVE-OR operation 1441 of the events that the transistor T₁ is blown 1442, the first electrical resistor R₁ is short-circuited 1443 and a second AND interim signal 1444, which results from an AND operation 1445 of the events that the transistor T₁ is intact 1446 and that a Low level exists at the base terminal $T_{1}^{B}$ of the transistor T₁ 1447.

The solution of equation (16) which fulfills the following conditions can be determined analogously:

$\begin{matrix}
{R_{1}^{A_{1}} = H} & (21) \\
{Out_{1} = T_{1}^{E} = L} & (22)
\end{matrix}$

The solution is:

$\begin{matrix}
{\left\lbrack R_{1}^{short} \cdot T_{1}^{short} + R_{1}^{open} \cdot T_{1}^{open} \right\rbrack + \left\lbrack T_{1}^{short} \right\rbrack} & \\
{+ \left\lbrack T_{1}^{OK} \cdot \left( T_{1}^{B} = H \right) \cdot \left( R_{1}^{open} + R_{1}^{OK} \right) \right\rbrack + \left\lbrack T_{1}^{OK} \cdot R_{1}^{open} \cdot \left( T_{1}^{B} = L \right) \right\rbrack} & (23)
\end{matrix}$

This can be simplified to:

$\begin{matrix}{\left\lbrack T_{1}^{short} \right\rbrack + \left\lbrack R_{1}^{open} \right\rbrack + \left\lbrack {T_{1}^{OK} \cdot R_{1}^{OK} \cdot \left( {T_{1}^{B} = H} \right)} \right\rbrack} & (24)\end{matrix}$

The corresponding error tree is represented in FIG. 14 d. According to this, a Low level for the output signal Out₁ 1460 results due to an INCLUSIVE-OR operation 1461 of the events that the transistor T₁ is short-circuited 1462, the first resistor R₁ is blown 1463 and a third AND interim signal 1464, which results from an AND operation 1465 of the following events:

- the transistor T₁ is intact 1466;
- the first electrical resistor R₁ is intact 1467;
- the base terminal $T_{1}^{B}$ of the transistor T₁ displays a High level 1468.
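The step from group equation (16) to the simplified forms (20) and (24) can be reproduced mechanically. The following Python sketch is an added example and not part of the patent: it encodes (16) term by term, fixes the terminal levels of (17)/(18) or (21)/(22), enumerates all element states, and reduces the solution set to its most general terms, which are the OR branches of the error trees in FIG. 14 c and FIG. 14 d. The function names and the tuple encoding (R₁ state, T₁ state, base level, with `None` as "don't care") are assumptions of this example.

```python
from itertools import product

STATES = ("short", "open", "OK")    # each element is in exactly one state
LEVELS = ("H", "L")
DOMAINS = (STATES, STATES, LEVELS)  # R1 state, T1 state, level at base T1^B

def eq16(r, t, b, out, ra1, te):
    """Left-hand side of equation (16), one line per bracketed term."""
    return ((r == "short" and t == "short") or (r == "open" and t == "open")
            or (r == "short" and out == ra1)
            or (t == "short" and out == te)
            or (t == "OK" and b == "H" and r in ("open", "OK") and out == te)
            or (t == "OK" and r == "open" and b == "L")
            or (t == "open" and r == "OK" and out == ra1)
            or (t == "OK" and r == "OK" and b == "L" and out == ra1))

def solutions(out, ra1="H", te="L"):
    """Assignments (r, t, b) that satisfy (16) for the given terminal levels."""
    return {s for s in product(*DOMAINS) if eq16(*s, out, ra1, te)}

def covers(cube, other):
    """True if `cube` is at least as general as `other` (None = don't care)."""
    return all(c is None or c == o for c, o in zip(cube, other))

def prime_implicants(sols):
    """Most general partial assignments that lie wholly inside `sols`.

    Each returned tuple is one AND term; their OR is the simplified solution.
    """
    cubes = list(product(*[d + (None,) for d in DOMAINS]))
    implicants = [c for c in cubes
                  if all(p in sols for p in product(*DOMAINS) if covers(c, p))]
    return {c for c in implicants
            if not any(o != c and covers(o, c) for o in implicants)}

if __name__ == "__main__":
    for level, label in (("H", "(20)"), ("L", "(24)")):
        print(label, sorted(prime_implicants(solutions(level)), key=str))
```

The two solution sets overlap in five states (for example R₁ and T₁ both short-circuited), because two terms of (16) place no constraint on Out₁.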

A plurality of alternatives and/or further versions of the exemplary embodiments described above are represented in the following.

Failure rates, i.e. error probabilities, can be associated with the individual elements, from which a full failure probability in relation to the predefined undesirable event can be determined in the context of an error tree analysis of the full error tree determined.

In general, an error tree analysis can be executed on the corresponding full error tree, for example according to the error tree analysis method known from (3).

Furthermore, the resultant error tree can be simplified into a cause/effect graph in which identical causes respectively occurring on multiple occasions for an event are combined and represented as a cause in the cause/effect graph.

Furthermore, the individual error probabilities for the reference elements can be expanded according to the so-called Diagnostic Coverage method to the effect that depending on the integration of a reference element as an element in an electrical circuit, the error probability of the element actually available in the electrical circuit behaves differently. This can be taken into account in the net lists, whereby an improved, more reliable full error tree can be generated.

Furthermore, the error tree can be expanded or contracted on a freely editable basis, whereby for example an expansion can be effected by the addition of a supplementary error tree. An example of such a supplementary error tree can be seen in the fact that for example requirements or an error tree describing the electromagnetic compatibility of the corresponding electrical circuit considered are added at the corresponding points of the full error tree.

Furthermore, different and/or additional types of error tree can be envisioned, for example an error tree where it is not an erroneous signal level that is considered but an erroneous change in signal level (edge change) from a High level to a Low level or from a Low level to a High level.

The invention has been described in detail with particular reference to preferred embodiments thereof and examples, but it will be understood that variations and modifications can be effected within the spirit and scope of the invention.

1. A method for determining a full error description for at least one part of a technical system, by a computer, comprising: describing the system by a stored system description which can be processed by the computer, the system description containing information on elements available in the system and on links between the elements; determining an element error description for each element on which information is contained in the system description, the element error description being determined using a stored error description which is respectively associated with a reference element, describing possible errors of the reference element with the element error description, and describing possible errors of a respective element with an error description of the reference element; grouping at least a portion of the reference elements into a reference element group based on the stored system description; determining a group error description for the elements of the reference element group using one of a plurality of stored group error descriptions, each of which is respectively associated with a specific reference element group, each stored group error description describing possible errors of the elements of the respective reference element group, the group error description specifying at least one error which has an effect on all elements of the reference group and specifying how the error affects the elements of the reference element group by taking into account the links between the elements from the stored system description; and determining a full error description from the element error descriptions and the group error descriptions taking into account the links between the elements, where the full error description is determined as a full error tree, and where the full error tree is changed by varying a framework condition.

2. The method as claimed in claim 1, where the framework condition is varied by adding a supplementary error tree.

3. The method as claimed in claim 1, where the framework condition describes electromagnetic compatibility.

4. A system to determine a full error description of at least one part of a technical system, comprising: a processor to: describe the system by a system description, the system description containing information on elements available in the system and on links between the elements; determine an element error description for each element on which information is contained in the system description, the element error description being determined using a stored error description which is respectively associated with a reference element; describe possible errors of the reference element with the element error descriptions; describe possible errors of a respective element with an error description of the reference element; group at least a portion of the reference elements into a reference element group based on the system description; determine a group error description for the elements of the reference element group using one of a plurality of stored group error descriptions, each of which is respectively associated with a specific reference element group, each stored group error description describing possible errors of the elements of the respective reference element group, the group error description specifying at least one error which has an effect on all elements of the reference group and specifying how the error affects the elements of the reference element group by taking into account the links between the elements from the stored system description; and determine a full error description from the element error descriptions and the group error descriptions, taking into account the links between the elements; and at least one memory that holds information comprising: the plurality of stored error descriptions, each stored error description describing possible errors of a respectively associated reference element; and the plurality of stored group error descriptions, each of which is associated with a respective reference element group, each stored group error description describing possible errors of the elements of the respective reference element group, each group error description specifying at least one error which has an effect on all elements of the reference group and specifying how the error affects the elements of the reference element group by taking into account the links between the elements from the system description, the processor performing in such a manner that the full error description is determined as a full error tree, and the full error tree is changed in relation to predefinable framework conditions.

5. The system as claimed in claim 4, where the processor performs in such a manner that the change is effected by the addition of a supplementary error tree.

6. The system as claimed in claim 4, where the framework condition describes by conditions in relation to electromagnetic compatibility.

7. A method for determining cause of a failure of an electrical circuit, by a computer, comprising: storing a description of the electrical circuit which can be processed by the computer, including information on circuit elements of the electrical circuit and on links between the circuit elements; selecting element error descriptions corresponding to reference circuit elements corresponding to the circuit elements of the electrical circuit from a plurality of pre-stored error descriptions; grouping at least some of the circuit elements into a reference element group when based on the description of the electrical circuit, the circuit elements correspond to the same reference element; selecting a group error description for the circuit elements of the reference element group from a plurality of pre-stored group error descriptions associated with reference element groups, each group error description describing possible failures of the circuit elements of the reference element group and specifying how the failures affects the circuit elements of the reference element group, by taking into account the links between the circuit elements according to the description of the electrical circuit; and determining a full error description from the element failure descriptions and the group error descriptions, as a full error tree, wherein the full error tree is used to identify the cause of the failure of the electrical circuit.